* Kenneth Simpson <[EMAIL PROTECTED]> wrote:
> In the event someone hasn't already pointed this out, there doesn't appear
> to be a patch for CAN-2004-0488 (buffer overrun in mod_ssl) in Apache 2.0.50
> as indicated on http://httpd.apache.org.
>
> I quote:
>
> "This Announcement notes the significant changes in 2.0.50 as compared
> to 2.0.49."
>
> "Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
> (trusted) client
> certificate subject DN which exceeds 6K in length. [CAN-2004-0488
> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488>]"
>
> mod_ssl doesn't change when upgrading from Apache 2.0.49 to Apache 2.0.50.

Sure, it does, for example:

http://cvs.apache.org/viewcvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.82.2.12&r2=1.82.2.13

Perhaps an error occurred during your upgrade? Did you use a vanilla apache
and did you verify the download with pgp or md5?

nd
--
"Comprehensive work (also for those switching from Apache 1.3)"
                                          -- from a review

<http://pub.perlig.de/books.html#apache2>
